Configuration management for network activity detectors

ABSTRACT

Network activity detectors, such as firewalls, communicate with one another to form a Unified Threat Management System. A first network activity detector sends a request for configuration settings to a second network activity detector. The second network activity detector sends a set of configuration settings in response to the request. The configuration settings include information for detecting digital security threats and/or for responding to detected digital security threats. In this way, configuration settings are propagated from one network activity detector to another so that network activity detectors within a UTMS system are configured consistently, e.g., have up-to-date information for detecting and/or responding to digital security threats.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 15/889,069, filed on Feb. 5, 2018, entitled “CONFIGURATION MANAGEMENT FOR NETWORK ACTIVITY DETECTORS”, which is a continuation of U.S. patent application Ser. No. 14/666,815, filed on Mar. 24, 2015, issued as U.S. Pat. No. 9,888,018 on Feb. 6, 2018, and entitled “CONFIGURATION MANAGEMENT FOR NETWORK ACTIVITY DETECTORS”, which is a continuation of U.S. patent application Ser. No. 14/207,382, filed on Mar. 12, 2014, issued as U.S. Pat. No. 9,021,574 on Apr. 28, 2015, and entitled “CONFIGURATION MANAGEMENT FOR NETWORK ACTIVITY DETECTORS”, which claims the benefit of U.S. Provisional Application No. 61/778,305, filed on Mar. 12, 2013. The content of these applications is hereby incorporated by reference.

BACKGROUND

1. Field

The present disclosure relates generally to the field of digital security, and more specifically to the configuration management of network activity detectors, including network activity detectors that detect malicious network activities.

2. Description of Related Art

The proliferation of computing and networking technologies has presented challenges in the field of digital security. For instance, one networked computer (i.e., a network node) may spread malicious computer data to other network nodes, and can inflict substantial system disruption across the network, thereby causing economic loss.

Conventional digital security technologies include computer logic, generally embodied as “anti-virus programs” and/or “firewalls,” that resides at network nodes and that scans computer data for digital security threats such as viruses, malware, worms, Trojan horses, and the like. To remain effective, a conventional digital security solution needs to be configured and managed (e.g., updated) properly. Configuration management of conventional digital security solutions often results in undesirable tradeoffs among efficacy, configurability, and scalability.

For instance, conventional digital security technologies require updates, such as computer virus signature files, in order to maintain effectiveness against ever-changing digital security threats. The relatively large size of the typical computer virus signature file (i.e., 50 megabytes (“MB”) to 300 MB) reduces the scalability of conventional digital security systems in at least two ways. First, large updates consume significant network bandwidth, and thus limit the number of installations and/or the frequency of updates that a given network infrastructure can support. Second, large updates require substantial data processing by a computer processor, and thus limit the types of network nodes that can support installations of conventional digital security technologies to those with sufficient processing power. Therefore, scalability is compromised.

Further, the need to ensure the authenticity of updates also encourages technical implementations in which a few entities (e.g., manufacturers of conventional digital security technology solutions) control the dissemination of updates to many network nodes. The resulting network architecture tends to be flat, in that many network nodes download updates from a few authorized servers. Such an architecture makes it difficult for an intermediate entity, such as the network administrator of a company, to provide configurations (i.e., updates) that are unique to the company's local network. Therefore, configurability is compromised.

BRIEF SUMMARY

In some embodiments, a system of network activity detectors comprises a first network activity detector, a second network activity detector, and a third network activity detector. The first network activity detector is configured to run on a first network node of a network; send, to the second network activity detector, a first User Datagram Protocol (UDP) network packet, where the first UDP network packet comprises a request for configuration information; and receive, from the second network activity detector, a second UDP network packet, where the second UDP network packet comprises a first configuration information, where the first configuration information includes a set of information for detecting digital security threats.

The second network activity detector is configured to run on a second network node of the network; send, to the third network activity detector, a third UDP network packet, where the third UDP network packet comprises a request for configuration information; receive, from the third network activity detector, a fourth UDP network packet, where the fourth UDP network packet comprises a second configuration information, where the second configuration information includes the set of information for detecting digital security threats; and in response to receiving the first UDP network packet from the first network activity detector, send, to the first network activity detector, the first configuration information, where the first configuration information includes the set of information for detecting digital security threats.

The third network activity detector is configured to run on a third network node of the network; create the set of information for detecting digital security threats; and in response to receiving the third UDP network packet from the second network activity detector, send, to the second network activity detector, the second configuration information, where the second configuration information includes the set of information for detecting digital security threats.

In some embodiments, a network activity detector that is running on a network node comprises a network interface configured to couple with a network; and a processor configured to identify a source of configuration information, wherein the source is another network activity detector coupled with the network, wherein the configuration information includes a set of information for detecting digital security threats; send, to the source, a request for the configuration information; receive, from the source, the configuration information; and send, to another network activity detector, the configuration information.

DESCRIPTION OF THE FIGURES

FIG. 1 depicts an exemplary unified threat management system employing network activity detectors.

FIG. 2 depicts exemplary configuration settings for network activity detectors.

FIG. 3 depicts an exemplary unified threat management system employing network activity detectors.

FIG. 4 depicts an exemplary unified threat management system employing network activity detectors.

FIG. 5 is a block diagram depicting an exemplary process for managing configuration settings by network activity detectors.

FIGS. 6A-6B depict an exemplary unified threat management system employing network activity detectors.

FIG. 7 is a block diagram depicting an exemplary process for managing configuration settings by network activity detectors.

FIG. 8 depicts an exemplary performance of an encryption process.

FIG. 9 is a block diagram depicting an exemplary encryption process.

FIG. 10 depicts an exemplary computing system.

DETAILED DESCRIPTION

The following description is presented to enable a person of ordinary skill in the art to make and use the various embodiments. Descriptions of specific devices, techniques, and applications are provided only as examples. Various modifications to the examples described herein will be readily apparent to those of ordinary skill in the art, and the general principles defined herein may be applied to other examples and applications without departing from the spirit and scope of the various embodiments. Thus, the various embodiments are not intended to be limited to the examples described herein and shown, but are to be accorded the scope consistent with the claims.

The embodiments described herein include devices, techniques, and/or applications for managing the configurations of network activity detectors. A network activity detector resides at a network node and detects network activities of interest, such as digital security threats like computer viruses, malware, worms, Trojan horses, bots, intrusions (e.g., unauthorized access), exploits (e.g., escalation of privileges, violation of confidentiality), time-based attacks (e.g., Denial of Service), and so forth. An exemplary network activity detector is described in U.S. Non-provisional patent application Ser. No. 13/479,222 filed on May 23, 2012, now U.S. Pat. No. 8,347,391, which is incorporated herein by reference for all purposes.

As a preliminary matter, it should be noted that although digital security threats are used as an example of what may be detected as an “activity of interest” by a network activity detector, other activities of interest exist and may also be detected using a network activity detector. Examples of other activities of interest include the transmission of obscene and/or copyrighted materials over a network, among others. Thus, while the examples and embodiments provided below refer to the detection of digital security threats for the sake of clarity and consistency, the devices, techniques, and/or applications that are conveyed via the examples and embodiments provided are not limited to the detection of digital security threats only.

Network activity detectors may be implemented in a variety of electronic devices, including desktop computers, laptop computers, tablet computers, phones, routers, firewalls, modems, gateways, and any other suitable electronic devices that support network communications. In some embodiments, a network activity detector is a computer program that runs on a network node. In other embodiments, a network activity detector is part of the electronic circuitry (e.g., application-specific integrated circuitry) of a network node.

The configuration settings of a network activity detector govern the operation of the network activity detector. For instance, the configuration settings of a network activity detector may control the types of digital security threats that are to be detected by the network activity detector. The configuration settings may also control the response of the network activity detector to an intrusion. Given the large number of network activity detectors that may exist in a network, robust mechanisms for managing the configuration settings of multiple network activity detectors are desirable.

1. Overview

FIG. 1 illustrates multiple network activity detectors that form an exemplary system 100 over network 101. The term “Unified Threat Management System” (UTMS) is used here to refer to a system of network activity detectors such as system 100. Network 101 may be the internet, a private network, a public network, or a combination thereof. UTMS system 100 includes a systems operator 102, which may be, e.g., a television cable company. UTMS system 100 also includes another systems operator 103, which may be, e.g., an internet service provider. A portion of UTMS system 100 is an enterprise network 104.

Systems operator 102 provides network access to network nodes 110-112, which may (but need not) be physically adjacent, via an integrated modem router 110. Network node 111 is a laptop computer and network node 112 is a tablet computer. Systems operator 103 provides network access to network nodes 120-124, which may (but need not) be located at a small business. Network node 120 is a router and is connected to network 101 and to computing devices 121-124. Enterprise network 104 is an enterprise network infrastructure that provides network access to network nodes 130-136 and 140-144, which may (but need not) be located at geographically separate offices of a large business company 105. Network nodes 130 and 140 are routers connected to enterprise network 104 and serve computing devices 131-136 and 141-144, respectively.

One or more of network nodes 110-112, 120-124, 130-136, and 140-144 in UTMS system 100 can each embody a network activity detector. UTMS system 100 thus highlights the need for robust configuration management of network activity detectors that are spread across a UTMS system. Consider, for instance, that systems operator 102 may wish to manage the configuration of the network activity detectors in its downstream network, and large business company 105 may wish to maintain distinct configuration settings for network activity detectors in different parts of its network infrastructure.

2. Configuration Settings

As discussed above, the configuration settings of a network activity detector govern the operation of the network activity detector. FIG. 2 illustrates exemplary configuration settings 201 of a network activity detector. As shown, configuration settings 201 include settings for, e.g., enabling or disabling virus detection by a network activity detector, specifying whether a network activity detector should cloak (i.e., hide) a network node when a digital security threat is detected, and the like.

Configuration settings 201 also include information 202 regarding the meta-expressions that are used by the network activity detector to detect specific network activities. As described in U.S. Non-provisional patent application Ser. No. 13/479,222 filed on May 23, 2012, incorporated herein by reference for all purposes, meta-expressions are used by a network activity detector to detect network activities of interest. Put another way, the specific digital security threats that are to be detected by a network activity detector may be governed by the meta-expressions being used by the network activity detector. Also, as described in U.S. Non-provisional patent application Ser. No. 13/479,222, it has been determined that only a handful of meta-expressions are necessary to detect all known digital security threats and their variants (even if the variants are unknown), which total over 2.5 million in number. As shown in FIG. 2, the configuration settings of the exemplary network activity detector include twelve meta-expressions for this purpose.

In some embodiments, a web-based user interface, such as webpage 200, is presented by the network activity detector so that a user can change the configuration settings of the network activity detector. In some embodiments, it is possible for a network activity detector to receive configuration settings programmatically over a network from other network activity detectors. That is, configuration settings that are received by a network activity detector over a network can be implemented into the network activity detector without requiring user intervention. The received configuration settings can include one or more of the settings shown on webpage 200 and meta-expressions for detecting digital security threats.

Exemplary transmissions of configuration settings between network activity detectors are discussed with reference to FIG. 3. In FIG. 3, UTMS system 300 includes systems operator 302, which controls network gateway 303 connected to network 301. Gateway 303 provides network access to network nodes 311 and 312 by way of modem 310. Network nodes 311 and 312 are a laptop computer and a tablet computer, respectively. Modem 310, laptop computer 311, and tablet computer 312 each embody a network activity detector. For example, a network activity detector is implemented in the chipset of modem 310 and another is implemented in the operating system kernel of tablet computer 312. Also, a network activity detector is installed as an application program in the operating system of laptop computer 311.

An exemplary transmission of configuration settings between network activity detectors is now discussed with reference to network nodes 310 and 311 of FIG. 3. During start-up, the network activity detector of laptop computer 311 sends a request for configuration settings to a designated network activity detector. The designated network activity detector can be any other network activity detector, e.g., a network activity detector that is running on a different network node like modem 310. In response to the request from the network activity detector of laptop computer 311, the network activity detector of modem 310 sends a set of configuration settings, via the network, to laptop computer 311. Upon receiving the configuration settings, the network activity detector of laptop computer 311 implements the received configuration settings. In addition, the network activity detector of laptop computer 311 may begin to operate based on the configuration settings.

Another exemplary transmission of configuration settings between network activity detectors is now discussed with reference to network nodes 310 and 312 of FIG. 3. During start-up, the network activity detector of tablet computer 312 sends a request for configuration settings to a network activity detector that is running on modem 310. In response to the request, the network activity detector of modem 310 sends a set of configuration settings to tablet computer 312, which are then implemented and used by the network activity detector of tablet computer 312.

Notably, the configuration settings that are sent by the network activity detector of modem 310 to laptop computer 311 and to tablet computer 312 may be similar, identical, or identical in part. By sending configuration settings that are consistent (meaning that the configuration settings are at least identical in part), the network activity detector of modem 310 ensures that its downstream network activity detectors (i.e., those of laptop computer 311 and tablet computer 312) are operating based on consistent configuration settings. In this way, modem 310 may ensure that the network activity detectors of laptop computer 311 and tablet computer 312 are able to detect the same digital security threats and are configured to respond to detected digital security threats in the same manner.

Yet another exemplary transmission of configuration settings between network activity detectors is now discussed with reference to gateway 303 and modem 310 of FIG. 3. Gateway 303 is operated by systems operator 302, which provides internet networking services, meaning that gateway 303 acts as a conduit of network traffic between network 301 and the customers of systems operator 302. It is thus desirable for systems operator 302 to minimize the digital security threats that pass through gateway 303.

One way in which systems operator 302 can help prevent the transmission of digital security threats via its infrastructure (e.g., gateway 303) is by controlling the configuration settings of network activity detectors that are downstream from its infrastructure. Systems operator 302 may do so by, e.g., sending configuration settings to network activity detectors that run on downstream devices.

In the present example, the network activity detector of modem 310 is configured to, during start-up, request configuration settings from the network activity detector of gateway 303. In response to the request, the network activity detector of gateway 303 sends a set of configuration settings to modem 310. The received configuration settings are implemented by modem 310. Since, as discussed above, the network activity detector of modem 310 is responsible for sending configuration settings to downstream network nodes 311 and 312, modem 310 can provide configuration settings to network nodes 311 and 312 that are consistent with those it received from gateway 303. In this way, systems operator 302 (which controls gateway 303) may ensure that the network activity detectors of modem 310, laptop computer 311, and tablet computer 312 are able to detect the same digital security threats and are configured to respond to detected digital security threats in a consistent manner.

It should be noted that, while the network activity detector of gateway 303 is primarily responsible for controlling the configuration settings of other network activity detectors in UTMS system 300, it is possible for other network activity detectors of UTMS system 300 (i.e., those running on network nodes 310-312) to become senders of configuration settings, if necessary. That is, any one (or more) of the network activity detectors of UTMS system 300 can be configured to provide configuration settings to other network activity detectors.

The ability of a network activity detector to receive, and to provide when needed, configuration settings to other network activity detectors significantly increases the scalability of a UTMS system. For example, should tablet computer 312 of UTMS system 300 become configured to act as a mobile wireless access hotspot for cellular phone 313 to access network 301, the network activity detector of tablet computer 312 can provide configuration settings to a network activity detector that is running on cellular phone 313. In this way, UTMS system 300 can scale to accommodate new network activity detectors that come online in a UTMS system.

Further, a network activity detector can provide configuration settings that are consistent with or different from the configuration settings that it has itself received. That is to say, the configuration settings that are sent, e.g., by tablet computer 312 to cellular phone 313 can be consistent with or can be different from the configuration settings that are used by tablet computer 312. In this way, subsets of network nodes in a UTMS system can have network activity detectors that operate with different configuration settings, thereby improving the configurability of the UTMS system.

In some instances, the appropriate configuration settings to be sent to the network activity detector of cellular phone 313 are a set that is consistent with the configuration settings imposed by systems operator 302 by way of gateway 303. In some instances, the appropriate configuration settings to be sent to the network activity detector of cellular phone 313 are a set of more restrictive configuration settings as compared with the configuration settings from gateway 303. The provision of more restrictive configuration settings further reduces the chance of cellular phone 313 becoming compromised by a digital security threat. By the same token, the provision also further reduces the chance of tablet computer 312 becoming compromised by a digital security threat that originates from cellular phone 313. The latter result is especially important for a device such as tablet computer 312 that allows tethering.

In some embodiments, whether a network activity detector provides configuration settings to other network activity detectors is determined based on the mode of operation of the network activity detector. In a first mode of operation, which may be referred to as a “super” mode, a network activity detector can send configuration settings to other network activity detectors. For purposes of this disclosure, a network activity detector that is operating in “super” mode is referred to as a super network activity detector, and a network node having a super network activity detector is referred to as a “super network node.” A super network activity detector sends configuration settings to a downstream network activity detector when a request for configuration settings is received from the downstream network activity detector.

In a second mode of operation, which may be referred to as a “standard” mode, a network activity detector is not configured to send configuration settings to other network activity detectors. For purposes of this disclosure, a network activity detector that is operating in “standard” mode is referred to as a standard network activity detector, and a network node having a network activity detector that is operating in “standard” mode is referred to as a “standard network node,” or simply a “network node.”

In some embodiments, the mode of operation is managed via a configuration setting at a network activity detector. The mode of operation of such a network activity detector is thus switched by changing its configuration settings. In some embodiments, the mode of operation switches automatically (e.g., programmatically). For instance, a network activity detector may programmatically switch to super mode when a request for configuration settings is received.

Regardless of its operation mode, a network activity detector may request configuration settings from a super network activity detector. When a network activity detector receives configuration settings from a super network activity detector, the configuration settings are processed and used by the receiving network activity detector. As discussed above, an important aspect of configuration settings is the inclusion of meta-expressions, which can be used by the receiving network activity detector to detect digital security threats. It follows that a super network activity detector can itself request configuration settings from another super network activity detector.

An exemplary implementation of network activity detectors is now discussed with respect to FIG. 4. In FIG. 4, network nodes 402-405 are connected directly or indirectly to network 401 and form a UTMS system 400. In some embodiments, network nodes 402, 403, 404, and 405 correspond to gateway 303, modem 310, laptop computer 311, and tablet computer 312 illustrated in FIG. 3. Each of network nodes 402-405 embodies a network activity detector.

Network nodes 404 and 405 are standard nodes, meaning they are not configured to provide configuration settings to other network activity detectors. In contrast, super network node 402 embodies a super network activity detector that is configured to provide configuration settings to other network activity detectors, such as those in UTMS system 400. Further, super network node 403 embodies a super network activity detector that receives configuration settings from super network node 402 and that is configured to relay at least portions of the received configuration settings to the network activity detectors of standard network nodes 404 and 405. Thus, super network node 402 controls the configuration settings of downstream network nodes 403-405.

FIG. 5 illustrates exemplary process 500, which may be performed by a network activity detector to participate in a UTMS system as described above. In some embodiments, process 500 is performed by one or more of the network activity detectors of network nodes 402-405 (FIG. 4). At block 510, the network activity detector that is carrying out process 500 (referred to as the “local network activity detector”) identifies a super network activity detector to which it is to send a request for configuration settings.

In some embodiments, the identity of the super network activity detector is managed via a configuration setting at the local network activity detector. The configuration setting may have been previously obtained by the local network activity detector or may have been previously stored in the local network activity detector by way of a suitable mechanism, such as during a computer program installation process. In some embodiments, the identity of the super network activity detector is hardcoded into the computer-executable instructions of the local network activity detector. The identity of the super network activity detector can be a null value, because it is possible for a network activity detector not to request configuration settings from another network activity detector. Such a network activity detector could produce its own configuration settings based on user input, creation of meta-expressions as described in U.S. Non-provisional patent application Ser. No. 13/479,222 filed on May 23, 2012, or other suitable configuration processes.

At block 520, the local network activity detector sends a request for configuration settings to the super network activity detector identified at block 510. In some embodiments, requests for configuration settings are sent using User Datagram Protocol (UDP) datagrams. UDP datagrams are used because UDP introduces relatively low overhead as compared to other transport protocols. Also, because UDP is stateless, its use reduces the amount of processor power required to track UDP traffic at a network activity detector. The stateless nature of UDP is such that if an initial UDP datagram (representing a request for configuration settings) is dropped en route to its destination network node, the sending of a subsequent UDP datagram makes up for the dropped UDP datagram. Even though it would not be aware of the dropped UDP datagram, when the super network activity detector at the destination network node finally receives the subsequent UDP datagram, it would provide the most up-to-date configuration settings. Those configuration settings would leapfrog any intermediate configuration settings, if any, that were missed due to the dropped UDP datagram. Because UDP performs no handshake, the transport layer also does nothing to verify the source of a request or of a reply; the authenticity of received configuration settings therefore has to be established by the network activity detectors themselves. Despite the benefits provided by a stateless transport layer protocol (such as UDP), it should be noted that communication between network activity detectors can, alternatively, utilize a different transport layer protocol. For example, in some embodiments, requests for configuration settings and/or configuration settings can be sent using Transmission Control Protocol (TCP) segments, even though TCP communications are stateful.

In some embodiments, block 520 is performed at timed intervals so that the local network activity detector requests configuration settings from time to time. The duration of the timed interval generally depends on the size of the network packets that are used for updating configuration settings and the processing overhead that is required. In some embodiments, the timed interval is a predetermined interval of between one and five minutes. In some embodiments, the timed interval changes based on the processor load of the local network activity detector.

At block 530, the local network activity detector receives configuration settings from a super network activity detector and begins to operate based on the received configuration settings. The received configuration settings can include meta-expressions that are used by the local network activity detector to detect digital security threats. At block 540, the local network activity detector determines whether it is operating in super mode. If the network activity detector is operating in super mode, processing proceeds to block 550. Otherwise, processing ends. At block 550, the local network activity detector receives a request for configuration settings from another network activity detector. At block 560, the local network activity detector creates a set of configuration settings. The created configuration settings can include meta-expressions for detecting digital security threats. At block 570, the local network activity detector sends the created configuration settings to the requesting network activity detector.

3. Helixing

Another exemplary implementation of network activity detectors is now discussed with respect to FIGS. 6A-6B. In FIG. 6A, network nodes 610-614 and 620-626 are connected directly or indirectly to network 601 and form a UTMS system 600. In some embodiments, network nodes 610-614 and 620-626 correspond to the network nodes of large business company 105 (FIG. 1).

Super network node 612 embodies a super network activity detector that provides configuration settings to the other network nodes of UTMS system 600, i.e., network nodes 610, 611, 613, 614 and 620-626. Depending on the processing capabilities of super network node 612 and the processing load caused by other running processes, super network node 612 may experience high levels of processor load that compromise its ability to perform as a super network node. For instance, under high processor load, the super network activity detector of super network node 612 may not keep up with incoming requests for configuration settings. When this occurs, it would be desirable for the super network activity detector of super network node 612 to scale back its responsibilities to maintain the integrity of UTMS system 600.

One way in which the super network activity detector of super network node 612 can scale back its responsibilities is to offload some of its configuration management processes to other network activity detectors within UTMS system 600. In some embodiments, this is done via a “helixing” process. The helixing process increases the number of super network nodes within a UTMS system and spreads out requests for configuration settings to those additional super network nodes.

More specifically, the super network activity detector of super network node 612 can initiate the helixing process by identifying another target network activity detector within UTMS system 600 that can help respond to requests for configuration settings. The super network activity detector of super network node 612 is aware of the existence of other network activity detectors in UTMS system 600 because, as a super network activity detector, it has previously received requests for configuration settings from other network activity detectors in UTMS system 600. For instance, the super network activity detector of super network node 612 receives requests for configuration settings from the network activity detectors of network nodes 610, 611, 613, 614 and 620-626. As such, the super network activity detector of super network node 612 is aware of their existence, and can therefore identify one (or more) of these network activity detectors as a target network activity detector.

A network activity detector need not be operating in super mode in order to be identified as a target, because the targeting super network activity detector can instruct the targeted network activity detector to switch to super mode, if necessary. For instance, the super network activity detector of super network node 612 can instruct the target network activity detector of network node 620 to operate in super mode, if the target network activity detector is not already operating in super mode, by sending appropriate configuration settings to the target network activity detector of network node 620. In response, the network activity detector of network node 620 begins to operate in super mode. FIG. 6B illustrates network node 620 as a super network node.

The super network activity detector of super network node 612 continues the helixing process by instructing other network activity detectors in UTMS system 600 to request configuration settings from the network activity detector of network node 620, which is now operating in super mode. For instance, when the super network activity detector of super network node 612 receives requests for configuration settings from the network activity detectors of network nodes 621-626, it responds by sending configuration settings that instruct the requesting network activity detector(s) to, in the future, request configuration settings from the super network activity detector of super network node 620. In this way, super network node 612 offloads at least a part of its responsibility to provide configuration settings to super network node 620, thereby transferring some processing load from itself to super network node 620, and ensuring that configuration settings are transmitted as necessary to maintain the integrity of UTMS system 600.

Notably, while the network nodes are visually arranged in FIG. 6B such that super network nodes 612 and 620 serve a number of adjacent network nodes in network portions 619 and 629, respectively, there is no requirement for physical proximity between a super network node and a standard network node. That is to say, e.g., the network activity detector of standard network node 626 can request configuration settings from the network activity detector of super network node 612, regardless of whether the two network nodes are physically proximate.

FIG. 7 illustrates exemplary process 700, which may be performed by a network activity detector to carry out the above-described helixing process. Process 700 can be performed by one or more network activity detectors of a UTMS system. In some embodiments, process 700 is performed by the network activity detectors of network nodes 612 and 620 (FIGS. 6A-6B).

At block 710, the network activity detector that is carrying out process 700 (referred to as the “local network activity detector”) identifies a super network activity detector to which it is to send a request for configuration settings. At block 720, the local network activity detector sends a request to the identified super network activity detector. At block 730, the local network activity detector receives configuration settings from the identified super network activity detector and begins to operate based on the received configuration settings. At block 740, the local network activity detector determines whether it is operating in “super” mode. If the local network activity detector is operating in “super” mode, processing proceeds to block 750. Otherwise, processing continues to block 745.

At block 745, the local network activity detector reviews the received configuration settings to determine if they include an instruction for the local network activity detector to operate in “super” mode. If the received configuration settings include such an instruction, processing proceeds to block 750. Otherwise, processing ends.

At block 750, the local network activity detector receives a request for configuration settings from another network activity detector. At block 755, the local network activity detector determines whether it is experiencing high levels of processor load. For instance, a processor load of 85% utilization, on average over a 24-hour period, may be considered a high level of processor load.

If the local network activity detector is experiencing high processor load, processing proceeds to block 765. At block 765, the local network activity detector identifies a target network activity detector based on previously received requests for configuration information. At block 766, the local network activity detector creates configuration settings that, among other things, instruct the target network activity detector to operate in super mode. In addition, at block 767, the local network activity detector creates configuration settings that, among other things, instruct a receiving network activity detector to request configuration settings from the target network activity detector in the future.

If the local network activity detector is not experiencing high processor load, processing proceeds to block 760. At block 760, the local network activity detector creates configuration settings. In contrast to the configuration settings created at block 766, the configuration settings created at block 760 do not instruct a receiving network activity detector to switch to “super” mode. Also, in contrast to the configuration settings created at block 767, the configuration settings created at block 760 do not instruct a receiving network activity detector to request configuration settings from another super network activity detector in the future. At block 770, the configuration setting(s) created at blocks 760, 766, and/or 767 (which are created in response to the request for configuration settings received at block 750) are sent by the local network activity detector to the requesting network activity detector. Processing ends after block 770.
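The request/response exchange of process 500 (blocks 550-570) and the helixing hand-off of process 700 (blocks 750-770), played out on the FIG. 6A-6B topology, as an added example that is not the patent's code. Node names come from the figures and the 85% load threshold from block 755; the class names, message fields, target-selection rule (earliest known requester) and the direct method calls standing in for UDP requests are assumptions made here.

```python
"""Simulation of the helixing hand-off of FIG. 6A-6B / process 700.

Added example, not code from the patent. Node names come from the figures;
the load threshold is the 85% figure from block 755; the message fields,
class names and the direct method calls that stand in for UDP requests
are assumptions made here.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HIGH_LOAD = 0.85   # block 755: 85% average utilization counts as high load


@dataclass
class ConfigSettings:
    meta_expressions: List[str]            # detection rules (blocks 560 / 760)
    operate_in_super_mode: bool = False    # block 766: target becomes a super node
    request_from: Optional[str] = None     # block 767: send future requests here


@dataclass
class Detector:
    name: str
    super_mode: bool = False
    cpu_load: float = 0.0
    meta_expressions: List[str] = field(default_factory=lambda: ["expr-1", "expr-2"])
    seen_requesters: List[str] = field(default_factory=list)  # input to block 765
    upstream: Optional[str] = None       # where this detector sends its own requests
    helix_target: Optional[str] = None   # target chosen at block 765, if any

    def helix(self) -> Tuple[str, ConfigSettings]:
        """Blocks 765-766: pick a target among past requesters and build the
        settings that instruct it to operate in super mode."""
        if not self.seen_requesters:
            raise RuntimeError("no known detectors to offload to")
        self.helix_target = self.seen_requesters[0]   # assumed rule: earliest requester
        return self.helix_target, ConfigSettings(list(self.meta_expressions),
                                                 operate_in_super_mode=True)

    def handle_request(self, requester: str) -> ConfigSettings:
        """Blocks 750-770: answer a request for configuration settings."""
        if not self.super_mode:
            raise RuntimeError(f"{self.name} is not operating in super mode")
        if requester not in self.seen_requesters:
            self.seen_requesters.append(requester)
        if self.cpu_load >= HIGH_LOAD:                       # block 755
            if self.helix_target is None:
                self.helix()                                 # blocks 765-766
            if requester != self.helix_target:               # block 767: redirect
                return ConfigSettings(list(self.meta_expressions),
                                      request_from=self.helix_target)
            return ConfigSettings(list(self.meta_expressions), operate_in_super_mode=True)
        return ConfigSettings(list(self.meta_expressions))   # block 760: plain settings

    def apply(self, settings: ConfigSettings) -> None:
        """Blocks 730-745: operate on received settings; switch modes if told to."""
        self.meta_expressions = list(settings.meta_expressions)
        if settings.operate_in_super_mode:
            self.super_mode = True
        if settings.request_from:
            self.upstream = settings.request_from


def simulate() -> Dict[str, Detector]:
    """Drive the FIG. 6A -> FIG. 6B scenario and return the final node states."""
    requesters = [str(n) for n in range(620, 627)] + ["610", "611", "613", "614"]
    nodes = {n: Detector(n, upstream="612") for n in requesters}
    nodes["612"] = Detector("612", super_mode=True)
    # FIG. 6A: every node requests settings from super node 612 under normal load.
    for n in requesters:
        nodes[n].apply(nodes["612"].handle_request(n))
    # Load on 612 climbs past the threshold; it promotes the first known requester.
    nodes["612"].cpu_load = 0.90
    target, promote = nodes["612"].helix()
    nodes[target].apply(promote)                       # FIG. 6B: node 620 is now super
    # Later requests from 621-626 are answered with a redirect to the target ...
    redirected = [str(n) for n in range(621, 627)]
    for n in redirected:
        nodes[n].apply(nodes["612"].handle_request(n))
    # ... so their next request goes to the new super node, spreading the load.
    for n in redirected:
        nodes[n].apply(nodes[nodes[n].upstream].handle_request(n))
    return nodes
```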

4. Encryption

Configuration settings can be encrypted to improve the integrity of a UTMS system. Configuration settings can be encrypted during transmission between network nodes. It is desirable for encrypted configuration settings to be difficult to decrypt without valid decryption credentials so that configuration settings cannot be recognized as such during transmission. Configuration settings can also be encrypted while they reside at a network node. An encryption mechanism would be futile if configuration settings are compromised while in decrypted form.

In some embodiments, configuration settings are encrypted using an encryption mechanism that utilizes local operating parameters of an individual network activity detector that cannot be easily identified outside the operating environment of the network activity detector. Put another way, the encryption mechanism encrypts, at least in part, based on local operating parameters of an operating environment.

By way of background, various asymmetric key algorithms and symmetric key encryption algorithms generate encryption keys and decryption keys based on a number. In asymmetric key algorithms, the number is used to generate complementary public and private keys. In symmetric key algorithms, the number is used to generate a shared key. In this context, a number of high entropy is preferred because the uncertainty between the digits of the number decreases the possibility of reverse-engineering the number (and thereby obtaining the necessary key for decryption). A number such as “11112222” has low entropy and is not preferred for generating cryptography keys because the digits of “11112222” are somewhat predictable. One of ordinary skill in the art would recognize that a number of high entropy is often referred to as a “random” number in the art because the digits of such a number appear random.

In some embodiments, configuration settings are encrypted based on a random number that is in turn based on: (1) a unique identifier (“UID”) of a network node, (2) the UID of a processor of the network node, and/or (3) the UID of a process that is running on the processor of the network node. The UID of a network node can be, e.g., the MAC address that is reported by the network node. The UID of a processor can be, e.g., the serial number of a central processing unit (“CPU”) that may be accessed through software instructions such as processor operation code instructions (also referred to as “opcodes”). The UID of a process can be, e.g., an operating environment process identifier (also referred to as a “PID”). UIDs can be combined by way of mathematical or logical operations (e.g., mathematical addition, logical addition) to form a string that is then given as input to a hash function (e.g., Message-Digest Algorithm, Secure Hash Algorithm) to produce a number having high entropy for use in an encryption algorithm.

The use of UIDs for encrypting configuration settings is further described with reference to FIG. 8, which depicts a standard network node 800 and a super network node 810. Standard network node 800 includes network interface 801 and CPU 802, and operates under an operating environment that provides shell 803. Network interface 801 provides MAC address information. CPU 802 provides serial number information. Shell 803 provides PID information regarding processes that are running on standard network node 800. The foregoing MAC address, serial number, and PID information is provided to a hash function 804, which computes a number having high entropy that is then provided to key generator function 805, which computes a private key 806 and a public key 807 for purposes of encrypting configuration settings that reside at and/or that are sent to standard network node 800. Standard network node 800 makes public key 807 available to other network nodes, e.g., by including public key 807 in requests for configuration settings that are sent to super network activity detectors. Super network node 810 uses encryption function 812 and public key 807 to encrypt configuration settings 813 that are then sent to standard network node 800.

Configuration settings 813, once received by standard network node 800, can remain encrypted until their contents (e.g., meta-expressions) are needed to carry out processes for detecting digital security threats. When needed, configuration settings 813 are loaded into processor memory and provided to decryption function 808 so that standard network node 800 can operate based on the configuration settings.

FIG. 9 illustrates exemplary process 900, which may be performed by a network activity detector at a network node to carry out the above-described encryption techniques. At block 910, the network activity detector that is carrying out process 900 (referred to as the “local network activity detector”) obtains one or more UIDs. The obtained UIDs may include a MAC ID, a CPU serial number, and/or a PID. At block 920, the obtained UIDs are combined and a hash function is used to produce a number having high entropy based on the UIDs. At block 930, one or more keys are calculated based on the hash number. The keys may be a private key, a public key, and/or a shared key. At block 940, one of the keys obtained at block 930 is sent to a super network activity detector. At block 950, configuration settings that have been encrypted using the same key are received by the local network activity detector. At block 960, the local network activity detector decrypts the received configuration settings using one of the keys obtained at block 930. At block 970, the decrypted configuration settings are used by the local network activity detector to detect network digital security threats.

Process 900 is desirable for at least three reasons. First, the number that is obtained based on the above-described UIDs has high entropy (even before the application of a hash function), and is thus a good random number for purposes of encryption. For instance, MAC addresses are intended to be universally unique. Second, the number is difficult to reverse-engineer because it is difficult to identify (e.g., reverse-engineer) a CPU serial number without physical or low-level access to a CPU, and because it is difficult to predict the PID number of a running process. Third, the decrypted output of block 960, which is a set of configuration settings that includes meta-expressions for detecting digital security threats, can reside within processor memory. Unlike larger signature files, meta-expressions (which typically total less than 1 kilobyte in size) can reside completely within the internal memory of many modern processors without needing to be stored in external memory locations during operation. As one of ordinary skill in the art would recognize, it would be difficult to obtain the decrypted meta-expressions (and/or other configuration settings) from the internal memory of a CPU without physical or low-level access (e.g., debug mode) to the CPU, both of which would be difficult for a malicious entity to achieve in a typical network-based attack.
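Process 900 in its shared-key form (blocks 910-970), together with the entropy comparison from the background paragraph above, as an added example that is not the patent's code. The UID values are constructed, SHA-256 stands in for the page's generic "Secure Hash Algorithm", and the HMAC-SHA256 counter-mode cipher with an encrypt-then-MAC tag is a choice made here because the page names no cipher; the example assumes the shared key reaches the super node (block 940) over a channel that is out of scope here.

```python
"""Process 900 (FIGS. 8-9), shared-key form: a node derives a key from its
UIDs, the super node encrypts configuration settings 813 with it, and the
node decrypts them. Added example, not the patent's code. UIDs below are
constructed; SHA-256 and the HMAC-based cipher are choices made here.
"""
import hashlib
import hmac
import math
import os
import struct
from collections import Counter
from typing import Optional, Tuple

# Constructed local operating parameters of standard network node 800.
NODE_UIDS = {
    "mac": "02:00:5e:10:00:01",        # network interface 801 (constructed value)
    "cpu_serial": "BFEBFBFF000906EA",  # CPU 802 serial as read via opcode (constructed)
    "pid": 4721,                       # shell 803 process id (constructed)
}


def shannon_entropy(text: str) -> float:
    """Bits per symbol of a digit/character string; the page's "11112222"
    scores low, a hash digest in hex scores close to the 4-bit maximum."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def derive_key(uids: dict) -> bytes:
    """Blocks 910-930 / hash function 804: combine the UIDs into one string,
    hash it, and use the 256-bit digest as the shared key."""
    combined = "|".join(str(uids[k]) for k in ("mac", "cpu_serial", "pid"))
    return hashlib.sha256(combined.encode()).digest()


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Separate encryption and MAC keys derived from the shared key."""
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC-SHA256(key, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_settings(key: bytes, settings: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Encryption function 812 on the super node: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16) if nonce is None else nonce
    enc_key, mac_key = _subkeys(key)
    ct = bytes(a ^ b for a, b in zip(settings, _keystream(enc_key, nonce, len(settings))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_settings(key: bytes, blob: bytes) -> bytes:
    """Decryption function 808 on the node; rejects settings whose tag fails."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("configuration settings failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def round_trip(uids: dict, meta_expressions: str) -> Tuple[bytes, str]:
    """Blocks 940-970 end to end: node derives its key, super node encrypts
    configuration settings with it, node decrypts and can operate on them."""
    key = derive_key(uids)                                      # node, block 930
    blob = encrypt_settings(key, meta_expressions.encode())     # super node, 812
    return blob, decrypt_settings(key, blob).decode()           # node, block 960
```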

Portions of the above-described processes may be implemented in exemplary computing system 1000 illustrated in FIG. 10. In some embodiments, computing system 1000 is a network device, such as a router, a gateway, a firewall, or the like. In some embodiments, computing system 1000 is a gateway device, such as a modem, or the like. In some embodiments, computing system 1000 is a mobile device, such as a desktop computer, a laptop computer, a cellular phone, a tablet, or the like. In some embodiments, computing system 1000 is a network interface “card.”

As shown in FIG. 10, the computing system 1000 includes a computer motherboard 1002 with bus 1010 that connects I/O section 1004, one or more central processing units (CPU) 1006, and a memory section 1008 together. Memory section 1008 may have memory module 1020 related to it. Memory module 1020 may be, for example, a flash memory and/or a removable memory device. The I/O section 1004 is connected to network interface 1012, which receives and/or transmits network packets. I/O section 1004 may be connected to display 1014, input device 1016, and/or storage unit 1018. Memory section 1008, memory module 1020, and/or storage unit 1022 can store (e.g., tangibly embody) a computer-readable medium that contains computer-executable instructions and/or data for performing any one of the above-described processes using CPU 1006. The computer-executable instructions may be written, for example, in a general-purpose programming language (e.g., LISP, C, JSON) or some specialized application-specific language. Input device 1016 may be a USB port supporting input from USB-compliant devices, such as a keyboard, a mouse, a memory stick, or the like. At least some values based on the results of the above-described processes can be saved into memory such as memory 1008, memory module 1020, and/or disk storage unit 1018 for subsequent use.

Portions of the above-described processes also may be implemented into a processor by way of specifically arranged integrated circuits (e.g., application-specific integrated circuits). In some embodiments, the integrated circuit can be part of the main processor of a device, such as the main processor of a cellular phone. In some embodiments, the integrated circuit can be part of an auxiliary processor of a device, such as a processor that is connected to the motherboard of a laptop. The integrated circuits can contain computer-executable instructions and/or data for performing any one of the above-described processes. The computer-executable instructions may be written, for example, in a specialized application-specific (e.g., processor-specific) language.

Although only certain exemplary embodiments have been described in detail above, those skilled in the art will readily appreciate that many modifications are possible in the exemplary embodiments without materially departing from the novel teachings and advantages of this disclosure. For example, aspects of embodiments disclosed above can be combined in other combinations to form additional embodiments. Accordingly, all such modifications are intended to be included within the scope of this technology.

What is claimed is:
1. A method of promoting security of a computer network, the method comprising: sending, by a first network activity detector of a first device coupled with a network, a request for configuration information to a second network activity detector of a second device identified as being a source of configuration information, wherein the second device is coupled with the network, wherein the configuration information includes a set of information for detecting digital security threats, wherein the first device is separate and distinct from the second device; receiving, by the first network activity detector, the configuration information from the second network activity detector; and sending, by the first network activity detector, the configuration information to a third network activity detector of a third device, wherein the third device is separate and distinct from the first device and the second device.
2. The method of claim 1, wherein the request is sent using a UDP network packet.
3. The method of claim 1, wherein: the configuration information sent by the first network activity detector to the third network activity detector is at least partially encrypted; and the encryption of the configuration information is based on one or more of a MAC address of the third network activity detector, a process identifier of an operating environment running on the third network activity detector, and a serial number of a processor of the third network activity detector.
4. The method of claim 1, further comprising creating another set of configuration information.
5. The method of claim 1, further comprising: receiving, from the third network activity detector, a request for the configuration information; and instructing, by the first network activity detector, the third network activity detector to send future requests for configuration information to a fourth network activity detector, wherein the fourth network activity detector is different from the first network activity detector.
6. The method of claim 5, further comprising: instructing, by the first network activity detector, the fourth network activity detector to respond to requests for configuration information.
7. A non-transitory computer-readable storage medium having computer-executable instructions, wherein the computer-executable instructions, when executed by one or more computer processors, cause the one or more computer processors to promote security of a computer network, the computer-executable instructions comprising instructions for: sending, by a first network activity detector of a first device coupled with the network, a request for configuration information to a second network activity detector of a second device identified as being a source of configuration information, wherein the second device is coupled with the network, wherein the configuration information includes a set of information for detecting digital security threats and wherein the first device is separate and distinct from the second device; receiving, from the second network activity detector, by the first network activity detector, the configuration information; and sending, by the first network activity detector, the configuration information to a third network activity detector of a third device, wherein the third device is separate and distinct from the first device and the second device.
8. The non-transitory computer-readable storage medium of claim 7, wherein the request is sent using a UDP network packet.
9. The non-transitory computer-readable storage medium of claim 7, wherein: the configuration information sent by the first network activity detector to the third network activity detector is at least partially encrypted; and the encryption is based on one or more of a MAC address of the third network activity detector, a process identifier of an operating environment running on the third network activity detector, and a serial number of a processor of the third network activity detector.
10. The non-transitory computer-readable storage medium of claim 7, wherein the computer-executable instructions further comprise instructions for creating another set of configuration information.
11. The non-transitory computer-readable storage medium of claim 7, wherein the computer-executable instructions further comprise instructions for: receiving, from the third network activity detector, a request for the configuration information; and instructing, by the first network activity detector, the third network activity detector to send future requests for configuration information to a fourth network activity detector, wherein the fourth network activity detector is different from the first network activity detector.
12. The non-transitory computer-readable storage medium of claim 11, wherein the computer-executable instructions further comprise instructions for: instructing, by the first network activity detector, the fourth network activity detector to respond to requests for configuration information.
13. The computer-readable storage medium of claim 7, wherein the second network activity detector is in a predefined operating mode.
14. A first network activity detector of a first device, the first network activity detector comprising: a network interface configured to couple with a network; and a processor configured to: send a request for configuration information across the network to a second network activity detector of a second device identified as being a source of configuration information, wherein the configuration information includes a set of information for detecting digital security threats, and wherein the first device is separate and distinct from the second device; receive the configuration information from the second network activity detector; and send the configuration information to a third network activity detector of a third device, the third device being separate and distinct from the first and second devices.
15. The first network activity detector of claim 14, wherein the request is sent using a UDP network packet.
16. The first network activity detector of claim 14, wherein the network activity detector is a first network activity detector, and wherein: the configuration information sent by the first network activity detector to the third network activity detector is at least partially encrypted; and the encryption is based on one or more of a MAC address of the third network activity detector, a process identifier of an operating environment running on the third network activity detector, and a serial number of a processor of the third network activity detector.
17. The first network activity detector of claim 14, wherein the processor is further configured to create another set of configuration information.
18. The first network activity detector of claim 14, wherein the network activity detector is a first network activity detector and the processor of the first network activity detector is further configured to: receive, from the third network activity detector, a request for the configuration information; and instruct, by the first network activity detector, the third network activity detector to send future requests for configuration information to a fourth network activity detector, wherein the fourth network activity detector is different from the first network activity detector.
19. The first network activity detector of claim 18, wherein the processor is further configured to: instruct, by the first network activity detector, the fourth network activity detector to respond to requests for configuration information.
20. The network activity detector of claim 15, wherein the second network activity detector is in a predefined operating mode.